Closed Sharparam closed 6 months ago
I'm pretty sure this is a problem with the DNSSEC configuration and not the add-on.
On the analyzing site you need to enter the full DNS name not just the top domain, i.e. https://dnssec-analyzer.verisignlabs.com/sg1._domainkey.sharparam.com
It seems the problem comes from the entry only being a CNAME record, and the sendgrid.net domain it points to not supporting DNSSEC.
Ah, I see. In that case this would be up to SendGrid to fix, but seems doubtful they would. There's apparently some kind of downside to DNSSEC which can make attacks worse.
This sadly makes the DNSSEC verification feature feel kinda pointless, since the big players don't seem to be using DNSSEC (Google doesn't, for one), so "DNSSEC failed" is not a red flag when legit players don't use it.
Yes, DNSSEC seems to not be very commonly used. So treating not DKIM signed keys even just as warnings adds too much noise to be useful.
I think the positive lock symbol for DNSSEC signed keys is still nice, but the DNSSEC feature is unfortunately not as useful as I hoped when I implemented it.
But unless it becomes a big burden to maintain, it is still something that I currently intend to continue to support.
I will close the issue as I think all your questions are now answered, if not feel free to reopen it.
There have been some issues made here in the past about DNSSEC, but none of the fixes discussed in those seem to work for me.
I've switched so the extension is using libunbound instead of the JS lib, and tried to explicitly use both 8.8.8.8 and 1.1.1.1 as the DNS server instead of the OS configuration. I am also not using any of the caching options or saving of DKIM keys.

Mails get the "Valid (Signed by <domain>)" but then the yellow warning with "DKIM key is not signed by DNSSEC", even though my domain has DNSSEC enabled, and the DNSSEC debugger shows no issues: https://dnssec-analyzer.verisignlabs.com/sharparam.com
The output from dig sg1._domainkey.sharparam.com +dnssec:

And the log output (with the debug logging enabled) from the extension in Thunderbird when verifying a DKIM signature (with "Reverify DKIM signature"):
I'm using Thunderbird 115.7.0 with version 5.4.0 of the DKIM Verifier extension.
OS is Arch Linux:
Any ideas what might be going wrong?
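The thread's diagnosis (a signed zone whose DKIM selector is a CNAME into an unsigned zone) is easy to misread, because the top-level domain really does validate. The following is an added example, not code from the DKIM Verifier add-on or from any poster here. It models what a validating resolver does with a CNAME chain: the AD (authentic data) flag is set only when every RRset in the answer, including every CNAME hop, comes from a signed zone. The zone data and the sendgrid.net target name are constructed for illustration and are assumptions, not the real records for these domains.

```python
"""Model of DNSSEC validation across a CNAME chain for a DKIM selector.

Added example (not part of the DKIM Verifier add-on). Zone and record data
below are constructed; only the shape of the problem matches the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed zone model: which zones are DNSSEC-signed. The thread reports
# sharparam.com as signed and sendgrid.net as not signed.
SIGNED_ZONES: Dict[str, bool] = {
    "com": True,
    "net": True,
    "sharparam.com": True,
    "sendgrid.net": False,
}

# Constructed records: owner name -> (rrtype, rdata). The sendgrid.net
# target name and the key material are placeholders, not real data.
RECORDS: Dict[str, Tuple[str, str]] = {
    "sg1._domainkey.sharparam.com": ("CNAME", "s1._domainkey.u0000.wl.sendgrid.net"),
    "s1._domainkey.u0000.wl.sendgrid.net": ("TXT", "v=DKIM1; k=rsa; p=CONSTRUCTED"),
    "local._domainkey.sharparam.com": ("TXT", "v=DKIM1; k=rsa; p=CONSTRUCTED"),
    "loop.sharparam.com": ("CNAME", "loop.sharparam.com"),
}


def enclosing_zone(name: str) -> Optional[str]:
    """Longest known zone that contains `name` (how a validator picks the DNSKEY to check)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SIGNED_ZONES:
            return candidate
    return None


@dataclass
class Answer:
    rdata: Optional[str]          # final non-CNAME record data, if any
    ad: bool                      # would the resolver set the AD flag?
    chain: List[Tuple[str, str, str, bool]] = field(default_factory=list)
    reason: str = ""


def resolve_with_ad(name: str, max_hops: int = 8) -> Answer:
    """Follow CNAMEs like a validating resolver and report the resulting AD state.

    AD stays True only if every hop lives in a signed zone; one unsigned hop
    (here the sendgrid.net target) makes the whole answer unauthenticated,
    which is exactly the "DKIM key is not signed by DNSSEC" warning.
    """
    chain: List[Tuple[str, str, str, bool]] = []
    ad = True
    reason = "every RRset in the answer is from a signed zone"
    current = name
    for _ in range(max_hops):
        zone = enclosing_zone(current)
        if zone is None:
            return Answer(None, False, chain, f"no zone data for {current}")
        signed = SIGNED_ZONES[zone]
        if not signed:
            ad = False
            reason = f"{current} is in unsigned zone {zone}"
        rec = RECORDS.get(current)
        if rec is None:
            return Answer(None, ad, chain, f"no record for {current}")
        rrtype, rdata = rec
        chain.append((current, rrtype, rdata, signed))
        if rrtype == "CNAME":
            current = rdata
            continue
        return Answer(rdata, ad, chain, reason)
    return Answer(None, False, chain, "CNAME loop or chain too long")


def describe(name: str) -> str:
    """Human-readable summary of the chain, one line per hop plus the verdict."""
    ans = resolve_with_ad(name)
    lines = [f"{owner} {rrtype} {rdata} [{'signed' if s else 'UNSIGNED'}]"
             for owner, rrtype, rdata, s in ans.chain]
    lines.append(f"AD={'yes' if ans.ad else 'no'}: {ans.reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    for selector in ("sg1._domainkey.sharparam.com", "local._domainkey.sharparam.com"):
        print(describe(selector))
        print()
```

With a real resolver the equivalent signal is the `ad` flag in the `flags:` line of the `dig ... +dnssec` header: it is absent when any hop of the chain, such as the CNAME target, is in an unsigned zone, even though the owner's own zone validates. That is also why the analyzer has to be given the full selector name rather than the bare domain.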